From 5ac59fa21c10ba7d87beefaa8c26099ddd73a0c3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 4 Sep 2020 15:51:47 +0200
Subject: [PATCH 1/6] make oval regex stricter

---
 .../snmpd_not_default_password/oval/shared.xml                  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
index b617c7339d..1bc84e1a88 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
@@ -17,7 +17,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_snmp_default_communities" version="1">
     <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
+    <ind:pattern operation="pattern match">^((?!#).)*(public|private).*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
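Review bot: The new pattern flags any non-comment line that merely contains the substring `public` or `private`, not only community definitions, so a directive such as `sysLocation publicity` now fails the check where the old pattern was anchored to `com2sec`/`rocommunity`/`rwcommunity`/`createUser`. Keeping the broader scan but requiring a whole word removes those substring hits: `^((?!#).)*\b(public|private)\b.*`. The leading `((?!#).)*` already rejects lines where a `#` precedes the match, so a real community string followed by a trailing comment is still caught, which is the right behaviour. The enclosing `def-group` and the test element that references this object start before the hunk.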

From 481cce33f5b148071e36d07a75291f5d39a8c02a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 4 Sep 2020 15:52:07 +0200
Subject: [PATCH 2/6] add tests

---
 .../snmpd_not_default_password/tests/both.fail.sh          | 6 ++++++
 .../snmpd_not_default_password/tests/commented.pass.sh     | 7 +++++++
 .../snmpd_not_default_password/tests/correct.pass.sh       | 6 ++++++
 .../snmpd_not_default_password/tests/private.fail.sh       | 5 +++++
 .../snmpd_not_default_password/tests/public.fail.sh        | 6 ++++++
 5 files changed, 30 insertions(+)
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
new file mode 100644
index 0000000000..5b8efa3c75
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+echo "something public" >> /etc/snmp/snmpd.conf
+echo "something private" >> /etc/snmp/snmpd.conf
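Review bot: None of the five scenarios pins down the scope of the OVAL regex: there is no pass case with the word embedded in another token (e.g. `sysLocation publicity`) or followed by a trailing comment, so the pattern can be widened or narrowed without a test noticing; a `substring.pass.sh` writing such a line would cover it. The `.fail.sh` scripts append to whatever `snmpd.conf` net-snmp ships, while the `.pass.sh` scripts first delete every line containing the words, so the fail outcome partly depends on the packaged file rather than on the appended line alone; normalising the file the same way in both kinds would make the scenarios self-contained. `yum -y install net-snmp` hard-codes one package manager although the remediations in this series list Debian platforms; if the test harness honours a `# packages = net-snmp` header, that is the portable form. The same applies to `commented.pass.sh`, `correct.pass.sh`, `private.fail.sh` and `public.fail.sh`, the last of which also ends with a stray blank line.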
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
new file mode 100644
index 0000000000..410d00f5a1
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf
+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf
+echo '# public' >> /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
new file mode 100644
index 0000000000..355cc8b71d
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf
+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
new file mode 100644
index 0000000000..c6bcf9b401
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+echo "something private" >> /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
new file mode 100644
index 0000000000..43022ba28c
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+echo "something public" >> /etc/snmp/snmpd.conf
+

From 9ad3734aa2c6a40fc8a6881d361e420faaaa1117 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 9 Sep 2020 11:19:46 +0200
Subject: [PATCH 3/6] add variables

---
 .../snmpd_not_default_password/bash/shared.sh      |  5 -----
 .../snmpd_not_default_password/rule.yml            |  1 +
 .../snmp_configure_server/var_snmpd_ro_string.var  | 14 ++++++++++++++
 .../snmp_configure_server/var_snmpd_rw_string.var  | 14 ++++++++++++++
 4 files changed, 29 insertions(+), 5 deletions(-)
 delete mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
deleted file mode 100644
index 4d5bc82282..0000000000
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol
-
-if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
-	sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
-fi
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
index 648f45caa2..72d2495713 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
@@ -7,6 +7,7 @@ title: 'Ensure Default SNMP Password Is Not Used'
 description: |-
     Edit <tt>/etc/snmp/snmpd.conf</tt>, remove or change the default community strings of
     <tt>public</tt> and <tt>private</tt>.
+    This profile configures new read-only community string to <tt>{{{ sub_var_value("var_snmpd_ro_string") }}}</tt> and read-write community string to <tt>{{{ sub_var_value("var_snmpd_rw_string") }}}</tt>.
     Once the default community strings have been changed, restart the SNMP service:
     <pre>$ sudo service snmpd restart</pre>
 
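Review bot: The added sentence is ungrammatical and attributes the change to the profile rather than the remediation: `This profile configures new read-only community string to ...` reads better as `The remediation sets the read-only community string to <tt>{{{ sub_var_value("var_snmpd_ro_string") }}}</tt> and the read-write community string to <tt>{{{ sub_var_value("var_snmpd_rw_string") }}}</tt>.` The surrounding text still tells the administrator to "remove or change" the strings, so it would help to state precisely which lines the automated remediation rewrites once that behaviour is settled. The `description` block scalar continues outside the hunk.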
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
new file mode 100644
index 0000000000..ac755d154f
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SNMP read-only community string'
+
+description: "Specify the SNMP community string used for read-only access."
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: changemero
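Review bot: `default: changemero` is a published, fixed value, so a host remediated with the untouched default ends up with a community string that is as guessable as `public`, although the rule exists to stop default strings from being used; the same holds for `changemerw` in `var_snmpd_rw_string.var` below. Since `interactive: true` signals that the value is meant to be overridden, the description should say so, e.g. `description: "Specify the SNMP community string used for read-only access. The shipped default is a placeholder and must be replaced with a site-specific value."`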
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
new file mode 100644
index 0000000000..7d2016a4dd
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SNMP read-write community string'
+
+description: "Specify the SNMP community string used for read-write access."
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: changemerw

From c2f193a43373900d65da6134325a8916a734c659 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 9 Sep 2020 18:03:31 +0200
Subject: [PATCH 4/6] add bash remediation

---
 .../snmpd_not_default_password/bash/shared.sh    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
new file mode 100644
index 0000000000..1b0474c07c
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
+
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
+
+# remediate read-only community string
+if grep -q 'public' /etc/snmp/snmpd.conf; then
+    sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf
+fi
+
+# remediate read-write community string
+if grep -q 'private' /etc/snmp/snmpd.conf; then
+    sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf
+fi
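Review bot: Both sed invocations interpolate the community string unescaped into the replacement text, so a value containing `/`, `&` or `\` either breaks the expression or inserts the matched word instead of the new string; they also substitute a bare substring without the `g` flag, so comment lines and longer words such as `publicly` are rewritten (copying the new secret into comments, which the deleted version of this script deliberately skipped) while a second occurrence on the same line survives and still trips the check. Escape the value first and restrict the substitution to non-comment lines and whole words, as below; this assumes GNU sed, which the listed platforms ship. Sourcing `/usr/share/scap-security-guide/remediation_functions` appears to be unused, since nothing after the `bash_instantiate_variables` macro calls a function from it.
```shell
# … unchanged: platform header and bash_instantiate_variables macro …

# Escape the characters that are special in a sed replacement (/, & and \)
# so the configured community string cannot alter the substitution.
ro_repl=$(printf '%s' "$var_snmpd_ro_string" | sed 's/[\/&\\]/\\&/g')
rw_repl=$(printf '%s' "$var_snmpd_rw_string" | sed 's/[\/&\\]/\\&/g')

# Leave comment lines untouched, match whole words only, and replace every
# occurrence on a line so the check cannot still find one afterwards.
sed -i -E "/^[[:space:]]*#/b; s/\bpublic\b/${ro_repl}/g; s/\bprivate\b/${rw_repl}/g" /etc/snmp/snmpd.conf
```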

From 967f9eedd0dfac92d85c62231c13894964fafb5d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 11 Sep 2020 10:23:52 +0200
Subject: [PATCH 5/6] add ansible remediation

---
 .../ansible/shared.yml                        | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
new file mode 100644
index 0000000000..33062169cd
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
+
+- name: "Replace all instances of SNMP RO strings"
+  replace:
+    path: "/etc/snmp/snmpd.conf"
+    #regexp: '^[#](.*)public(.*)$'
+    regexp: 'public'
+    replace: '{{ var_snmpd_ro_string }}'
+
+- name: "Replace all instances of SNMP RW strings"
+  replace:
+    path: "/etc/snmp/snmpd.conf"
+    #regexp: '^[#](.*)private(.*)$'
+    regexp: 'private'
+    replace: '{{ var_snmpd_rw_string }}'
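Review bot: Both `replace` tasks substitute the bare substrings `public` and `private` everywhere in the file, including comment lines and inside longer words, so the configured community string is copied into comments and `publicly` becomes `<string>ly`; the commented-out `regexp` lines show this was considered, and the bash remediation that this series deletes skipped comment lines. Because the module matches in MULTILINE mode, each task can keep the non-comment prefix with a backreference and match a whole word: `regexp: '^((?![ \t]*#).*?)\bpublic\b'` with `replace: '\1{{ var_snmpd_ro_string }}'`, and likewise for `private` in the second task. I believe the module also interprets backreferences in the `replace` text, so a community string containing a backslash sequence would be mangled; confirm against the module version in use. `replace` fails when the path is missing, so if hosts without net-snmp are in scope, guard the tasks with a `stat` check.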

From 946e540dadaf43eadb43479cc6328ee503e5d981 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 14 Sep 2020 07:30:56 +0200
Subject: [PATCH 6/6] remove forgotten commented lines

---
 .../snmpd_not_default_password/ansible/shared.yml               | 2 --
 1 file changed, 2 deletions(-)

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
index 33062169cd..d92c0a17da 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
@@ -9,13 +9,11 @@
 - name: "Replace all instances of SNMP RO strings"
   replace:
     path: "/etc/snmp/snmpd.conf"
-    #regexp: '^[#](.*)public(.*)$'
     regexp: 'public'
     replace: '{{ var_snmpd_ro_string }}'
 
 - name: "Replace all instances of SNMP RW strings"
   replace:
     path: "/etc/snmp/snmpd.conf"
-    #regexp: '^[#](.*)private(.*)$'
     regexp: 'private'
     replace: '{{ var_snmpd_rw_string }}'